A method and device for matching security policies

A security policy matching method and device, applied in the field of network security. It addresses the low efficiency of security policy matching that arises when an address object group contains non-contiguous wildcard mask objects, which cannot be placed in a dictionary tree (trie): communication packets are first matched at speed against pre-built dictionary trees, and only the non-contiguous objects of a rule that has otherwise matched are compared separately.

Active Publication Date: 2021-04-16
NEW H3C SECURITY TECH CO LTD

AI Technical Summary

Problems solved by technology

However, when the address object group of an IP address matching item in the security policy contains non-contiguous wildcard mask objects, the network device cannot build a dictionary tree (trie) from those objects, because such a mask does not describe a single address prefix, and so cannot perform accelerated matching of communication packets against them. The matching efficiency of security policies is therefore low.

Embodiment Construction

[0080] The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the accompanying drawings of those embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments, without creative effort, fall within the protection scope of the present invention.

[0081] The embodiment of the present application provides a method for matching security policies, which can be applied to network devices. The network device may be a firewall, an intrusion prevention system (IPS) device, or the like. Currently, when a network device receives a communication packet, it can filter the packet based on a pre-configured security policy. The security policy m...

Abstract

Embodiments of the present invention provide a method and device for matching security policies, which relate to the technical field of network security. The method includes: receiving a communication packet; performing accelerated matching of the packet against the pre-stored dictionary tree (trie) of each matching item, to obtain a first matching result for each matching item of each matching rule; among the matching rules, identifying as a first matching rule any rule in which the first matching result of every matching item other than the IP address matching items is a match; if, among the IP address matching items of that first matching rule, there is a target IP address matching item whose first matching result is a mismatch, matching the packet against the non-contiguous wildcard mask objects in the address object group of the target IP address matching item to obtain a second matching result for that item; and determining the matching result of the first matching rule from the second matching result of the target IP address matching item. The application can improve the matching efficiency of security policies.

Description

technical field

[0001] The invention relates to the technical field of network security, in particular to a method and device for matching security policies.

Background technique

[0002] Currently, when a network device receives a communication packet, it can filter the packet based on a pre-configured security policy. The security policy can include at least one matching rule, and each matching rule can include at least one matching item. For example, the matching items can include a source Internet Protocol (IP) address matching item, a destination IP address matching item, a source port matching item, a destination port matching item, a protocol type matching item, a service (Svr) matching item, and so on.

[0003] For any matching rule, the network device can match the fields of the communication packet (such as its source IP address, destination IP address, source port number, etc.) according to the ...
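The two-stage matching described in the Abstract (an accelerated first pass against per-item dictionary trees, then a masked comparison against the non-contiguous wildcard mask objects of the target IP address item for a rule whose other items already matched), the matching items listed in [0002], and the contiguity problem raised under Problems solved by technology, as an added Python example. This is not code from the patent or from H3C; the rule set, the packets, the field names (src_ip, dst_ip, proto, src_port, dst_port), and the build_demo_policy and classify helpers are assumptions constructed for the demonstration, and the service (Svr) item is omitted.

```python
# Two-stage policy matcher: an added illustration of the method in the abstract, not code
# from the patent or from H3C. Rules, packets and field names below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

IP_ITEMS = ("src_ip", "dst_ip")
OTHER_ITEMS = ("proto", "src_port", "dst_port")

def ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def is_contiguous(wild: int) -> bool:
    """True iff the wildcard's set bits form one trailing run, i.e. the object is a CIDR prefix."""
    return (wild + 1) & wild == 0

class BitTrie:
    def __init__(self) -> None:
        self.root: dict = {}      # binary trie over IPv4 bits; a node holds ids of rules whose prefix ends there
    def insert(self, base: int, wild: int, rid: int) -> None:
        node = self.root
        for i in range(32 - wild.bit_length()):     # prefix length; only meaningful for contiguous wild
            node = node.setdefault((base >> (31 - i)) & 1, {})
        node.setdefault("rules", set()).add(rid)
    def lookup(self, addr: int) -> Set[int]:
        hits, node = set(), self.root              # every rule whose prefix covers addr
        for i in range(32):
            hits |= node.get("rules", set())
            node = node.get((addr >> (31 - i)) & 1)
            if node is None:
                return hits
        return hits | node.get("rules", set())

@dataclass
class Rule:
    rid: int
    action: str
    proto: Optional[int] = None                    # None means "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_ip: List[Tuple[int, int]] = field(default_factory=list)  # address object group: (base, wildcard)
    dst_ip: List[Tuple[int, int]] = field(default_factory=list)  # empty group means "any"

class Policy:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules                         # in priority order
        self.tries = {item: BitTrie() for item in IP_ITEMS}
        self.slow = {item: {} for item in IP_ITEMS}          # rid -> non-contiguous objects
        self.exact = {item: {} for item in OTHER_ITEMS}      # value -> rule ids
        self.any_rules = {item: set() for item in IP_ITEMS + OTHER_ITEMS}
        for r in rules:
            for item in IP_ITEMS:
                group = getattr(r, item)
                if not group:
                    self.any_rules[item].add(r.rid)
                for base, wild in group:
                    if is_contiguous(wild):
                        self.tries[item].insert(base, wild, r.rid)
                    else:                          # cannot become one trie path: keep for stage 2
                        self.slow[item].setdefault(r.rid, []).append((base, wild))
            for item in OTHER_ITEMS:
                value = getattr(r, item)
                if value is None:
                    self.any_rules[item].add(r.rid)
                else:
                    self.exact[item].setdefault(value, set()).add(r.rid)
    def match(self, pkt: Dict[str, int]) -> Optional[Tuple[int, str, bool]]:
        """(rule id, action, stage-2 used) for the first matching rule, or None."""
        first = {}                                 # stage 1: first matching result of every item
        for item in IP_ITEMS:
            first[item] = self.tries[item].lookup(pkt[item]) | self.any_rules[item]
        for item in OTHER_ITEMS:
            first[item] = self.exact[item].get(pkt[item], set()) | self.any_rules[item]
        for r in self.rules:
            if not all(r.rid in first[item] for item in OTHER_ITEMS):
                continue                           # a non-IP item missed: the rule cannot match
            used_slow, matched = False, True
            for item in IP_ITEMS:
                if r.rid in first[item]:
                    continue
                used_slow = True                   # stage 2 on this target IP address item
                if not any((pkt[item] & ~wild) == (base & ~wild)
                           for base, wild in self.slow[item].get(r.rid, [])):
                    matched = False
                    break
            if matched:
                return r.rid, r.action, used_slow
        return None

def build_demo_policy() -> Policy:
    # constructed rules: a /16 object, a non-contiguous 10.*.7.* object, and a prefix-only rule
    return Policy([
        Rule(1, "permit", proto=6, dst_port=443, src_ip=[(ip("10.1.0.0"), ip("0.0.255.255"))]),
        Rule(2, "deny", proto=6, src_ip=[(ip("10.0.7.0"), ip("0.255.0.255"))]),
        Rule(3, "permit", src_ip=[(ip("192.168.0.0"), ip("0.0.255.255"))], dst_ip=[(ip("10.0.0.0"), ip("0.255.255.255"))]),
    ])

def classify(policy: Policy, src: str, dst: str, proto: int, sport: int, dport: int):
    pkt = {"src_ip": ip(src), "dst_ip": ip(dst), "proto": proto, "src_port": sport, "dst_port": dport}
    return policy.match(pkt)
```

A packet from 10.200.7.3 on TCP port 80 misses rule 1 in stage 1 on its destination port and is never compared against rule 1's address objects at all; rule 2 passes every non-IP item, misses in the source-address trie (its only object, 10.0.7.0 with wildcard 0.255.0.255, is non-contiguous and so was never inserted), and is then confirmed in stage 2 by the masked equality test `addr & ~wildcard == base & ~wildcard`. The expensive comparison therefore runs only for rules that have already survived the cheap lookups, which is the efficiency gain the abstract claims.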

Application Information

Patent Type & Authority: Patents (China)
IPC (8): H04L29/06, H04L29/12
CPC: H04L61/2503, H04L61/2557, H04L63/0236, H04L63/0263
Inventor: 仇宏迪
Owner: NEW H3C SECURITY TECH CO LTD